The breadth, complexity and need for deterrence necessitate the setting up of an adequately staffed and trained DPA which is able to execute its mandate independently and effectively even when this might be against the myriad departments of the government that currently process personal data.

Following the liberalisation of India’s economy, there have been a number of momentous occasions where the necessities of the times have given birth to specialised regulators. In a democratic country with elected representatives, a separate judiciary and a maze-like array of executive bodies, one can question the relevance of such insular entities in our legal system.

With the release of the Srikrishna Committee’s draft bill and report on data protection, you may have noticed that there has been talk of an entity called the Data Protection Authority (DPA). The Committee’s recommendations outline the features of a body that has so varied a mandate that some would find its task almost insurmountable. We need to think carefully about the DPA’s design and functioning before we welcome it into our regulatory ranks.

There are a number of aspects of data protection law that play a central role in determining the regulatory structures to be chosen. The data protection law is impossibly broad: it covers every area in which personal data is used and defends against the unique ways in which harms can emerge in each of these. It also has to be cognisant of how different fields have peculiar uses for information, deriving diverse benefits appropriate to that sector. In this, data protection goes beyond the IT sector and ranges from various private industries to all forms of public bodies. Even in terms of the number of entities covered, it is arguable that there is no regulatory field of broader application. To make matters more complicated, the breakneck pace of technological innovation can make the best of experts dizzy. How can we achieve this mandate with the bureaucratic structures that Indian regulators are traditionally linked with?

Some might say that the field was always meant for self-regulation, where entities enforce rules on themselves. Unfortunately, this has been tried in other jurisdictions with little success. The US is a prime example of this. Broadly comparable instances where the European Union permits entities to act on their own discretion have come to be criticised. In particular, the European right to be forgotten allows entities receiving deletion requests to make their own determination on the matter. In view of the serious implications for fundamental rights such as free speech, the Srikrishna Committee eschews this approach in favour of regulatory checks. Similarly, private entities in Europe may process personal data without consent for ‘legitimate interests’ by balancing the rights and interests of all involved. Here too, the Srikrishna Committee points to the scope for abuse by requiring that the DPA must specify ‘reasonable purposes’ itself after a similar balancing exercise.

Further, in view of the bewildering diversity and complexity of technical considerations in different sectors, adequate room for adaptation is made through two prongs: one, a statutory baseline is created in broad terms in the draft bill, and two, codes of practice are envisaged to ensure that appropriate rules are put in place in different contexts while respecting the minimum standards. For instance, while the draft bill refers to “appropriate” security safeguards and data retention for “as long as may be reasonably necessary”, what this would actually mean has to be made clear through contextual regulations and codes which must be issued by the DPA after consultation with the relevant stakeholders.

Yet others may say that the regulatory scheme should have been based around existing sectoral regulators. This ignores the fact that these authorities already have their hands full with their existing mandates. More important, it also fails to note that a coherent data protection law requires a unified vision with strong baseline principles put into action by a well-coordinated mechanism. Given that entities operate across sectors and different sectors also interact with each other on data, avoiding piecemeal enforcement requires dedicated resources with specialised technical skills. International practice concurs with this approach. Nonetheless, unlike in other Indian statutes, the draft bill envisages the DPA actively coordinating with other authorities to gauge the nuances in their respective fields.

The breadth, complexity and need for deterrence necessitate the setting up of an adequately staffed and trained DPA which is able to execute its mandate independently and effectively even when this might be against the myriad departments of the government that currently process personal data. The close link between the DPA’s functioning and the right to informational privacy in India is a unique aspect of this debate. The Puttaswamy judgment declares this right as fundamental to our polity and an effective watchdog is an attendant demand.

Damini Ghosh is senior resident fellow and Lalit Panda is research fellow with the Vidhi Centre for Legal Policy, New Delhi

The views expressed are personal

Originally Published: https://www.hindustantimes.com/analysis/india-needs-a-robust-data-protection-authority/story-s2f4XZJ5IK4wOCC8FzVyAK.html

Damini is a Senior Resident Fellow and Team Lead in the Public Law vertical and is currently involved in projects pertaining to regulation of digital economy and implementation of the Insolvency and Bankruptcy Code. Prior to joining Vidhi, Damini worked at Shardul Amarchand Mangaldas & Co and thereafter at Tuli & Co where she focused extensively on insurance regulatory advisory (non-contentious), product development and general corporate matters. Damini has also undertaken policy work and advised on several other regulatory issues arising under the foreign contribution laws, labelling rules of packaged commodities and laws governing drugs and cosmetics in India. She has also worked as a legal consultant to the Central Information Commission and advised on various issues arising under the Right to Information Act. Damini graduated from the National University of Juridical Sciences, Kolkata in 2008 with a B.A., LL.B. (Hons.) and completed her LL.M. from the University of Pennsylvania Law School in 2013 where she concentrated on regulatory laws and policy.

About Lalit Panda:

Lalit is a Research Fellow with the Public Law vertical. At Vidhi, he has worked on a range of policy issues related to data protection, telecom laws, election law, public interest litigation, judicial independence, fiscal federalism, higher education and constitutional law. To these, he brings an abiding interest in the economic analysis of law and public choice theory.
A 2016 graduate of the Gujarat National Law University, he worked as a Consultant with the 21st Law Commission of India before joining Vidhi in 2017. In his spare time, Lalit pursues interests in literary and fantasy fiction, poetry, creative writing, as well as moral and political philosophy.